The California Consumer Privacy Act of 2018 (CCPA) is the United States’ most comprehensive and stringent data privacy law.
Enacted in June 2018 and amended the following September, it gives Californians unprecedented powers to view, restrict the use of, and delete the data that for-profit companies collect about them. It also gives them the right to sue (the so-called “private right of action”) if a data breach results in the compromise of their information.
We provide a summary of the law in this post, but if you want complete details, check out our CCPA Compliance Guide.
What is the Reason for This California Law?
Unlike the European Union, which has the General Data Protection Regulation (GDPR), the United States lacks a cohesive set of data privacy requirements. Recognizing that the internet has increased privacy concerns, Californians for Consumer Privacy, a non-government organization, sent its suggestions for new consumer rights to privacy protection to the California Attorney General in November 2017.
The initiative led to the adoption of the CCPA, which intends to protect consumer data compromised as the result of a data breach. In June 2018, the California Legislature passed the bill. On September 23, 2018, Governor Jerry Brown signed amendments to the California Civil Code enforcing the measure.
While focusing in part on data security, this privacy law focuses less on networks, software, and systems and more on giving consumers control over data collection.
Does Your Business Need to Comply?
The CCPA applies to many companies doing business in the state of California as well as those outside the state who collect California consumers’ personal information. To fall under the CCPA’s regulatory umbrella, a business must meet one of any three requirements:
- Generates annual gross revenues of more than $25 million
- Receives or shares personal information of more than 50,000 California residents per year
- Earn at least 50 percent of its annual revenue from selling California residents’ personal information.
Non-profits and companies that do not meet any of these conditions are exempt.
What are the Penalties for Non-compliance?
Penalties for non-compliance can be harsh.
Since the CCPA is incorporated under the California Civil Code, businesses will be subject to lawsuits for data security breaches that improperly disclose consumer information. Statutory damages can be $100-$750 per California resident and incident, actual damages (if they are greater), or any other relief that the court determines.
Moreover, any intention violation can be fined up to $7,500 while unintentional violations can incur a fine of up to $2,500.
What are the Categories of Personal Information?
The California Consumer Privacy Act (CCPA) has a broad definition of personal information. In the interest of data privacy, the CCPA broadly defines “personal information” as information that “identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.”
The CCPA’s Categories of Consumer Information include
- Identifiers: real names, alias, postal address, unique personal identifier, online identifier, Internet Protocol address (IP address), email address, account name, Social Security number, driver’s license number, passport number, or other similar identifiers
- Commercial information such as records of personal property; products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies
- Biometric data such as fingerprints, face recognition, retina or iris information, hand patterns, height, weight, and eye color
- Internets or other electronic network activity information such as browsing history, search history, and information regarding the data owner’s interaction with a website, application, or advertisement
- Geolocation data
- Audio, electronic, visual, thermal, olfactory, or similar information
- Professional or employment-related information
- Education information that is not publicly available
- Inferences are drawn from any of the information identified here to create a profile about a consumer reflecting the consumer’s preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes
What Personal Information Must Be Provided Upon Request?
The CCPA requires businesses to provide, upon consumer request, the types of personal information it collects.
As part of this, businesses collecting identifiable information from California residents will need to provide at minimum a toll-free telephone number and website where people can request their information. Companies must disclose and deliver the information within 45 days of the request.
What is the Right to Know About Sold or Disclosed Personal Information?
If a business sells consumer information or discloses it to a vendor, the consumer can request the categories of information involved. However, it doesn’t stop there. Companies need to provide the categories of third parties to which it has provided the information, and identities and contact information of those third parties, as well.
The business must also provide commercial purposes for the disclosure or sale, or explain that no business purpose exists.
How to Comply with the ‘Right-to-Know’ and Disclosure Requirements?
Businesses must verify each customer access request, which means linking information the consumer provides to personal information the business has collected. For each verified request, they must identify the category or categories of information collected for the preceding 12 months.
If the business sold or disclosed information about the consumer, it must also provide names and contact numbers for the third party and the categories of information sold or disclosed to the third party for the preceding 12 months.
What is the Right to Say ‘No’ to the Sale of Personal Information?
Also called the “right to opt-out,” businesses that sell personal data must provide data subjects the option of saying “no” to the sale of their information.
How to Comply with the Right to ‘Opt-out’
The first step to compliance is a “clear and conspicuous link” on the homepage that says “Do Not Sell My Personal Information.” Although the law indicates that businesses don’t need to have this link on their homepage, it also specifies that businesses choosing not to incorporate the link need to maintain a second website just for California residents.
On the page, businesses need to outline their privacy policies and California-specific descriptions of rights. Moreover, the “Do Not Sell” page must clearly link to a California specific page detailing consumer privacy rights and opt-outs for the CCPA.
How ZenGRC Eases CCPA Compliance
CCPA compliance requires documentation collection, storage, and retrieval. And with more people interacting with vendors that interact with consumer data, and with employees monitoring consumer requests, CCPA compliance will require more communication internally and externally.
ZenGRC’s workflow tagging feature allows you to delegate tasks and follow their progress to ensure access requests get followed through to completion within the CCPA’s 45-day deadline. You can also review workflows to mitigate cyber risks and review controls within the organization necessary for maintaining opt-out and opt-in information.
If your enterprise uses ServiceNow for workflow management, ZenGRC has a connector to that solution that enables two-way communications, making it easier to comply with the CCPA and a host of other regulations, standards, and frameworks. Our integration connect ZenGRC with ServiceNow and a plethora of other popular business applications, and even allows you to program in your own.
At audit time, ZenGRC allows unlimited, in-a-few-clicks self-audits and has all your documentation ready for retrieval in our “Single Source of Truth” repository.
Isn’t it time to join the 21st century, and automate your CCPA compliance? Contact us for your free consultation, and embark on a compliance journey that’s worry-free with ZenGRC.